On 18 July 2022, the Data Protection and Digital Information Bill was introduced into Parliament following a consultation on data protection reform by the DCMS last year. Whilst the government has stated that it wants data reform to boost innovation, economic growth, and protect the public as part of a regime which is “based on common sense, not box ticking”, the proposed Bill is not the radical package of changes some organisations might have hoped for. This is perhaps not surprising given the threat to the UK’s adequacy status were the UK to move substantially away from the EU GDPR. We take a look at some of the key changes below.
Reform of the Accountability Framework
Goodbye Data Protection Officers
The role of DPO is to be replaced by a suitable ‘senior responsible individual’ (SRI) who is required to oversee data protection compliance. The SRI should be part of the organisation’s senior management, but the role is largely similar to that of the DPO. This removal of the DPO role may be of benefit to smaller organisations which do not have personnel who meet the criteria for a DPO (in particular the requirement to be independent) and which therefore have to engage an external DPO. It is not clear whether existing DPOs (particularly external DPOs) can transition into the new SRI role, or whether the DPO of an organisation that must comply with the EU GDPR in addition to the UK GDPR can also fulfil the ‘senior responsible individual’ role. Hopefully ICO guidance will clarify that this is the case.
Data Protection Impact Assessments
Those hoping for an overhaul of the current internal assessments required to process personal data may be disappointed. While the requirement to undertake data protection impact assessments (DPIAs) will be removed, organisations will still need to demonstrate their identification, assessment and management of the risks of processing personal data. Nevertheless, organisations will be free to choose their own approach to demonstrating the above.
Record of Processing Activities (ROPA)
Article 30 (ROPA) is to be omitted and replaced by a slightly less burdensome requirement for record keeping. Records must still be kept but the requirement to maintain records of processing activities is set to be replaced with a requirement to maintain personal data inventories.
High risk processing consultations
In addition to the removal of DPIAs, organisations will no longer be required to conduct a consultation with the ICO when processing high risk data. This will now be a voluntary process and organisations may choose whether or not they wish to continue this practice going forward.
The Bill removes the requirement for controllers/processors that are not established in the UK but come within the scope of the UK GDPR to have a UK based representative.
Recognised Legitimate Interests
The Bill introduces a pre-approved list of recognised legitimate interest bases which automatically satisfy the balancing test required to rely on legitimate interests as a lawful basis. These are focused on public interest and are:
The government will be able to add additional legitimate interests to this list later on.
Redefining Personal Data
The Bill sets out some changes to the definition of ‘personal data’. The government’s aim is to clarify when an individual is identifiable and within the scope of data protection law and to “avoid setting an impossibly high standard for anonymization”.
Information will be personal data:
if the individual can be identified from the information by the controller/processor at the time of processing using reasonable means;
where the controller/processor knows or ought to know that another person is likely to obtain the information as a result of the processing and the individual will be, or is likely to be, identifiable by that other person using reasonable means.
Right to refuse excessive data subject access requests (DSARs)
Organisations hoping that the reforms would significantly reduce the burden of data subject access requests (particularly where used to obtain disclosure before making an employment related claim or commencing litigation) may be disappointed by the scope of changes that have made it into the Bill. The Bill does lower the threshold for refusing a DSAR from “manifestly unfounded or excessive” to “vexatious or excessive”. Examples of the types of requests that organisations may consider vexatious or excessive are provided in the Bill and include requests that are:
an abuse of process;
intended to cause distress; or
not made in good faith.
It will remain to be seen how much of a change this will be in reality and further guidance from the ICO will be important.
Automated Decision Making
The Bill is set to replace Article 22 (GDPR) with a new provision which clarifies the definition of a ‘solely automated’ decision as being a decision made without meaningful human involvement. Further, the Bill will only restrict automated decision-making where special category data is being processed. The safeguards have been expanded to include an obligation on controllers to provide information to data subjects regarding any automated decisions that have been made; this will allow the data subject to contest the decisions, make representations and also obtain human intervention.
Direct Marketing and Cookies
There has been much discussion regarding cookies and the number of pop-up notices and banners served on websites, which are a source of annoyance to many and are often simply accepted without being read. Under the Bill, organisations will no longer need to obtain consent from individuals for the use of statistics and preference cookies, or for cookies used to install security updates or to geolocate an individual in an emergency. Individuals will still need to be given a right to object to these cookies (save for the emergency geolocation cookies), so, for now, it is not the end of cookie notices and banners.
The Bill also paves the way for cookie banners to be removed altogether in the future. However, this will only take place when the government deems browser-based solutions to be widely available. Consent for cookies will in any case continue to be a requirement for websites likely to be accessed by children (e.g. those caught by the Age Appropriate Design Code).
The fines that the ICO can impose under the Privacy and Electronic Communications Regulations (PECR) are to be brought in line with those under the GDPR. Therefore, fines of up to the higher of £17.5m or 4% of an organisation’s annual global turnover are possible.
When making an adequacy decision, the Secretary of State will apply a data protection test and is able to have regard to any matters they consider relevant, including the desirability of data transfers to and from the UK.
It is the government’s aim for the UK to be “a leader in digital trade and the world’s most attractive data marketplace”. It wants to unburden businesses, boost the economy and help innovation whilst maintaining high data protection standards. However, in making any reforms, it needs to tread a careful line. Any changes that move the UK’s data protection regime too far away from the EU GDPR will threaten the UK’s EU adequacy status which many consider to be a price too high to pay for data protection reform. The Bill is expected to make its way through parliament after the summer recess, with no doubt more changes due. With the UK’s adequacy decision due to expire in 2025, all eyes will be on the passage of the Bill through Parliament and comment from the EU.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.